Amazon Bedrock Guardrails Adds InvokeGuardrailChecks — Apply Per-Step Safety Checks Inside Agentic Pipelines Without Managing a Guardrail Resource
TL;DR
Amazon Bedrock Guardrails announced InvokeGuardrailChecks on June 16, 2026 (AWS Machine Learning Blog) — a new API that lets builders apply content filters, prompt-injection detection, and sensitive-information filters at any point inside an agentic loop without creating, versioning, or managing a guardrail resource. Unlike the existing ApplyGuardrail API, InvokeGuardrailChecks is resourceless: safeguards are specified inline per request with no guardrail ARN required. It operates in detect-only mode and returns numeric severity/confidence scores (discrete values from 0 to 1.0) per safeguard category — so teams set custom thresholds and decide per step whether to block, bypass, retry, or log. IAM permission required: `bedrock:InvokeGuardrailChecks`. The blog walks through setup with a us-east-1 example; regional availability applies per AWS documentation.
June 16, 2026
InvokeGuardrailChecks announced on the AWS Machine Learning Blog — new Bedrock Guardrails API for agentic pipelines
Resourceless
No guardrail ARN or resource required — safeguards specified inline per request, no versioning overhead
Detect-only
Returns numeric scores (0–1.0 discrete values) per category; application logic applies thresholds and decides to block, bypass, retry, or log
3 categories
Content filters, prompt-attack detection (standalone), and sensitive-information filters across 31 PII entity types
Amazon Bedrock Guardrails launched InvokeGuardrailChecks on June 16, 2026, announced on the AWS Machine Learning Blog — a new API designed for builders running multi-step agentic pipelines who need to apply different safety checks at different points in the loop without the overhead of managing guardrail resources.
What InvokeGuardrailChecks does differently. The existing Bedrock Guardrails ApplyGuardrail API requires a guardrail resource — you create, version, and reference a guardrail object by ARN, and it applies a uniform policy across the application. InvokeGuardrailChecks removes that requirement entirely: safeguards are specified inline per request, there is no guardrail ID or version to track, and the check can be called at any step in the agentic flow. AWS describes this as enabling builders to "apply individual safeguards, also referred to as safety checks, at any point in your agentic AI applications."
Detect-only mode and numeric scores. InvokeGuardrailChecks runs in detect-only mode — it does not block or mask content itself. Instead, it returns numeric severity or confidence scores for each safeguard category, with discrete values of {0, 0.2, 0.4, 0.6, 0.8, 1.0}. The application logic reads those scores, compares them against developer-defined thresholds, and decides what to do: block the step, bypass and continue, retry with a modified prompt, or log for review. This gives teams control over how aggressively each stage of a pipeline is guarded — tool-call validation can use a different threshold than final output filtering.
Supported safeguard categories. Three categories are available at launch. Content Filters detect hate, violence, sexual content, insults, and misconduct. Prompt Attack Detection — which can be invoked independently of content filters — detects jailbreaks, prompt injection, and prompt leakage. Sensitive Information Filters cover 31 PII entity types including email, phone, SSN, and credit cards; results include character offsets (`beginOffset`, `endOffset`) for precise identification. The blog notes that prompt attack detection is separated as a standalone check, unlike ApplyGuardrail where it is bundled with content filters.
IAM and regional setup. The required IAM permission is `bedrock:InvokeGuardrailChecks` with `Resource: "*"` — consistent with the resourceless design. The blog's example uses `region_name="us-east-1"` and recommends scoping regional access via `aws:RequestedRegion` conditions in IAM policy. No pricing information was provided in the announcement post; check the Bedrock pricing page for current rates.
Operator relevance. InvokeGuardrailChecks is relevant regardless of which LLM is running on Bedrock. Any multi-step agentic workflow — tool orchestration, retrieval-augmented generation, automated coding loops — can now instrument individual steps with targeted safety checks at the threshold level appropriate for that step, without creating a separate managed guardrail configuration. The tradeoff is that detect-only means the guardrail does not act — the application must act on the scores.
Why It Matters
InvokeGuardrailChecks addresses a real gap in agentic pipeline safety — the inability to apply different guardrail thresholds at different steps without managing separate guardrail resources for each. Builders running multi-step loops on Bedrock can now instrument individual stages (tool calls, intermediate reasoning, final output) with the appropriate level of scrutiny for that step. The resourceless design reduces setup friction significantly: no guardrail ARN to manage, no versioning, inline specification per request. The detect-only constraint is the key tradeoff: scores are returned, not actions — the application must implement the block/bypass/retry/log logic itself, which requires engineering discipline to do consistently across a complex agentic flow. Teams that need Bedrock to enforce guardrails automatically will still need the ApplyGuardrail approach; InvokeGuardrailChecks is for teams that want instrument-then-decide control.
Who's Affected
- — Builders running multi-step agentic pipelines on Bedrock — now have a lightweight API to add per-step content safety checks without managing guardrail resources. Relevant for any LLM running on Bedrock.
- — Enterprise teams with compliance requirements around PII and prompt injection — the 31-entity sensitive-information filter and standalone prompt-attack detection give targeted coverage at each pipeline step.
- — Teams already using Bedrock Guardrails via ApplyGuardrail — InvokeGuardrailChecks is an addition, not a replacement. Both exist; choose based on whether you need uniform enforcement (ApplyGuardrail) or step-level control (InvokeGuardrailChecks).
- — Security and platform engineers designing agentic safety architectures on AWS — the numeric score model requires implementing your own enforcement layer; factor that into design effort.
What To Do Now
- 1. Use InvokeGuardrailChecks for per-step threshold control, not uniform enforcement. If you need Bedrock to automatically block or mask across your whole application, the existing ApplyGuardrail API is still the right tool. InvokeGuardrailChecks is for workflows where different steps need different risk tolerances.
- 2. Detect-only means you own the action logic. The API returns scores; you decide what to do. Build your block/bypass/retry/log logic before deploying — an unchecked score that is never acted on provides no safety.
- 3. Scope IAM per region. The blog recommends `aws:RequestedRegion` conditions on the `bedrock:InvokeGuardrailChecks` permission. Apply this from the start rather than retrofitting it after launch.
- 4. No pricing was stated in the announcement. Check the Bedrock Guardrails pricing page before estimating costs — each InvokeGuardrailChecks call is a distinct API invocation, and a high-frequency agentic loop will generate volume.
More from ToolNav News
Anthropic's Project Glasswing reports 10,000+ vulnerabilities in one month — and Claude Security is now in public beta
2026-05-28
Databricks Launches Genie One GA — An Agentic AI Coworker for Every Business Team, Priced on Usage Not Seats
2026-06-17
Salesforce takes Agentforce multi-agent orchestration to GA — Atlas Reasoning Engine 3.0, A2A, and hosted MCP servers ship in Summer 26
2026-06-16